ssl: gnutls: bump dh bitsize to 2048

[ngircd-alex.git] / src / ngircd / conn-ssl.c

diff --git a/src/ngircd/conn-ssl.c b/src/ngircd/conn-ssl.c
index 1b4da3ce047695a99456f58533a6335631940554..7630420dad36bfa46e2dbb0590e382055f3d7979 100644 (file)
--- a/src/ngircd/conn-ssl.c
+++ b/src/ngircd/conn-ssl.c
@@ -1,11 +1,15 @@
 /*
  * ngIRCd -- The Next Generation IRC Daemon
- *
- * SSL wrapper functions.
  * Copyright (c) 2005-2008 Florian Westphal <fw@strlen.de>
  */
 
 #include "portab.h"
+
+/**
+ * @file
+ * SSL wrapper functions
+ */
+
 #include "imp.h"
 #include "conf-ssl.h"
 
@@ -47,7 +51,7 @@ static bool ConnSSL_LoadServerKey_openssl PARAMS(( SSL_CTX *c ));
 #include <unistd.h>
 #include <gnutls/x509.h>
 
-#define DH_BITS 1024
+#define DH_BITS 2048
 static gnutls_certificate_credentials_t x509_cred;
 static gnutls_dh_params_t dh_params;
 
@@ -383,10 +387,10 @@ ConnSSL_Init_SSL(CONNECTION *c)
        int ret;
        assert(c != NULL);
 #ifdef HAVE_LIBSSL
-       assert(ssl_ctx);
-       if (!ssl_ctx)   /* NULL when library initialization failed */
+       if (!ssl_ctx) {
+               Log(LOG_ERR, "Cannot init ssl_ctx: OpenSSL initialization failed at startup");
                return false;
-
+       }
        assert(c->ssl_state.ssl == NULL);
 
        c->ssl_state.ssl = SSL_new(ssl_ctx);
@@ -407,6 +411,7 @@ ConnSSL_Init_SSL(CONNECTION *c)
        if (ret < 0) {
                Log(LOG_ERR, "gnutls_set_default_priority: %s", gnutls_strerror(ret));
                ConnSSL_Free(c);
+               return false;
        }
        /*
         * The intermediate (long) cast is here to avoid a warning like:
@@ -419,6 +424,7 @@ ConnSSL_Init_SSL(CONNECTION *c)
        if (ret < 0) {
                Log(LOG_ERR, "gnutls_credentials_set: %s", gnutls_strerror(ret));
                ConnSSL_Free(c);
+               return false;
        }
        gnutls_dh_set_prime_bits(c->ssl_state.gnutls_session, DH_BITS);
 #endif
@@ -433,10 +439,7 @@ ConnSSL_PrepareConnect(CONNECTION *c, UNUSED CONF_SERVER *s)
        bool ret;
 #ifdef HAVE_LIBGNUTLS
        int err;
-#endif
-       assert(c != NULL);
-       assert(s != NULL);
-#ifdef HAVE_LIBGNUTLS
+
        err = gnutls_init(&c->ssl_state.gnutls_session, GNUTLS_CLIENT);
        if (err) {
                Log(LOG_ERR, "gnutls_init: %s", gnutls_strerror(err));
@@ -471,8 +474,6 @@ ConnSSL_HandleError( CONNECTION *c, const int code, const char *fname )
        unsigned long sslerr;
        int real_errno = errno;
 
-       assert( fname );
-
        ret = SSL_get_error(c->ssl_state.ssl, code);
        switch (ret) {
        case SSL_ERROR_WANT_READ:
@@ -484,8 +485,8 @@ ConnSSL_HandleError( CONNECTION *c, const int code, const char *fname )
                Conn_OPTION_ADD(c, CONN_SSL_WANT_WRITE); /* fall through */
        case SSL_ERROR_NONE:
                return 0;       /* try again later */
-       case SSL_ERROR_ZERO_RETURN:     /* TLS/SSL Connection was shut down */
-               LogOpenSSLError("TLS/SSL Connection shutdown", fname);
+       case SSL_ERROR_ZERO_RETURN:
+               LogDebug("TLS/SSL connection shut down normally");
                break;
        /*
        SSL_ERROR_WANT_CONNECT, SSL_ERROR_WANT_ACCEPT, SSL_ERROR_WANT_X509_LOOKUP
@@ -518,15 +519,14 @@ ConnSSL_HandleError( CONNECTION *c, const int code, const char *fname )
        switch (code) {
        case GNUTLS_E_AGAIN:
        case GNUTLS_E_INTERRUPTED:
-       if (gnutls_record_get_direction(c->ssl_state.gnutls_session)) { /* need write */
-               io_event_del(c->sock, IO_WANTREAD);
-               Conn_OPTION_ADD(c, CONN_SSL_WANT_WRITE); /* fall through */
-               break;
-       } else { /* need read */
-               io_event_del(c->sock, IO_WANTWRITE);
-               Conn_OPTION_ADD(c, CONN_SSL_WANT_READ);
+               if (gnutls_record_get_direction(c->ssl_state.gnutls_session)) {
+                       Conn_OPTION_ADD(c, CONN_SSL_WANT_WRITE);
+                       io_event_del(c->sock, IO_WANTREAD);
+               } else {
+                       Conn_OPTION_ADD(c, CONN_SSL_WANT_READ);
+                       io_event_del(c->sock, IO_WANTWRITE);
+               }
                break;
-       }
        default:
                assert(code < 0);
                if (gnutls_error_is_fatal(code)) {
@@ -546,8 +546,7 @@ ConnSSL_LogCertInfo( CONNECTION *c )
 #ifdef HAVE_LIBSSL
        SSL *ssl = c->ssl_state.ssl;
 
-       assert( c );
-       assert( ssl );
+       assert(ssl);
 
        Log(LOG_INFO, "New %s connection using cipher %s on socket %d.",
                SSL_get_version(ssl), SSL_get_cipher(ssl), c->sock);
@@ -575,11 +574,8 @@ int
 ConnSSL_Accept( CONNECTION *c )
 {
        assert(c != NULL);
-#ifdef HAVE_LIBSSL
-       if (!c->ssl_state.ssl) {
-#endif
-#ifdef HAVE_LIBGNUTLS
        if (!Conn_OPTION_ISSET(c, CONN_SSL)) {
+#ifdef HAVE_LIBGNUTLS
                int err = gnutls_init(&c->ssl_state.gnutls_session, GNUTLS_SERVER);
                if (err) {
                        Log(LOG_ERR, "gnutls_init: %s", gnutls_strerror(err));
@@ -601,9 +597,7 @@ ConnSSL_Connect( CONNECTION *c )
 #ifdef HAVE_LIBSSL
        assert(c->ssl_state.ssl);
 #endif
-#ifdef HAVE_LIBGNUTLS
        assert(Conn_OPTION_ISSET(c, CONN_SSL));
-#endif
        return ConnectAccept(c, true);
 }
 
@@ -623,7 +617,6 @@ ConnectAccept( CONNECTION *c, bool connect)
 #endif
 #ifdef HAVE_LIBGNUTLS
        (void) connect;
-       assert(Conn_OPTION_ISSET(c, CONN_SSL));
        ret = gnutls_handshake(c->ssl_state.gnutls_session);
        if (ret)
                return ConnSSL_HandleError(c, ret, "gnutls_handshake");
@@ -648,7 +641,8 @@ ConnSSL_Write(CONNECTION *c, const void *buf, size_t count)
 #ifdef HAVE_LIBGNUTLS
        bw = gnutls_write(c->ssl_state.gnutls_session, buf, count);
 #endif
-       if ( bw > 0 ) return bw;
+       if (bw > 0)
+               return bw;
        if (ConnSSL_HandleError( c, bw, "ConnSSL_Write") == 0)
                errno = EAGAIN; /* try again */
        return -1;
@@ -685,11 +679,8 @@ ConnSSL_GetCipherInfo(CONNECTION *c, char *buf, size_t len)
 {
 #ifdef HAVE_LIBSSL
        char *nl;
+       SSL *ssl = c->ssl_state.ssl;
 
-       SSL *ssl;
-       assert(c != NULL);
-       assert(len >= 128);
-       ssl = c->ssl_state.ssl;
        if (!ssl)
                return false;
        *buf = 0;
@@ -700,8 +691,6 @@ ConnSSL_GetCipherInfo(CONNECTION *c, char *buf, size_t len)
        return true;
 #endif
 #ifdef HAVE_LIBGNUTLS
-       assert(c != NULL);
-       assert(len >= 128);
        if (Conn_OPTION_ISSET(c, CONN_SSL)) {
                const char *name_cipher, *name_mac, *name_proto, *name_keyexchange;
                unsigned keysize;